Helm chart changes for Validator Scan Client Config (#3283)

pasindutennage-da · web-flow · commit 1c39148485c3 · 2025-12-08T17:28:14.000+01:00
Added BftScanConfig to Helm charts

[ci]

Signed-off-by: Pasindu Tennage &lt;pasindu.tennage@digitalasset.com&gt;
diff --git a/cluster/deployment/config.yaml b/cluster/deployment/config.yaml
@@ -172,3 +172,9 @@ validators:
     nodeIdentifier: 'validator-runbook'
     partyHint: 'digitalasset-testValidator-1'
     onboardingSecret: 'validatorsecret'
+    validatorApp:
+      scanClient:
+        scanType: "bft-custom"
+        seedUrls: [ "https://scan.sv-2-eng.scratchb.network.canton.global","https://scan.sv-3-eng.scratchb.network.canton.global" ]
+        threshold: 2
+        trustedSvs: ["Digital-Asset-Eng-2","Digital-Asset-Eng-3"]
diff --git a/cluster/expected/validator-runbook/expected.json b/cluster/expected/validator-runbook/expected.json
@@ -719,7 +719,18 @@
           "postgresName": "postgres",
           "secretName": "postgres-secrets"
         },
-        "scanAddress": "https://scan.sv-2.mock.global.canton.network.digitalasset.com",
+        "scanClient": {
+          "scanType": "bft-custom",
+          "seedUrls": [
+            "https://scan.sv-2-eng.scratchb.network.canton.global",
+            "https://scan.sv-3-eng.scratchb.network.canton.global"
+          ],
+          "threshold": 2,
+          "trustedSvs": [
+            "Digital-Asset-Eng-2",
+            "Digital-Asset-Eng-3"
+          ]
+        },
         "spliceInstanceNames": {
           "amuletName": "Amulet",
           "amuletNameAcronym": "AMT",
diff --git a/cluster/helm/splice-validator/templates/validator.yaml b/cluster/helm/splice-validator/templates/validator.yaml
@@ -108,8 +108,26 @@ spec:
         {{ else -}}
         - name: ADDITIONAL_CONFIG_BFT_SCAN
           value: |
+            {{- if .Values.scanClient }}
+              {{- if eq .Values.scanClient.scanType "trust-single" }}
+            canton.validator-apps.validator_backend.scan-client.type = "trust-single"
+            canton.validator-apps.validator_backend.scan-client.url = {{ .Values.scanClient.scanAddress | quote }}
+              {{- else if eq .Values.scanClient.scanType "bft"}}
+            canton.validator-apps.validator_backend.scan-client.type = "bft"
+            canton.validator-apps.validator_backend.scan-client.seed-urls = {{ .Values.scanClient.seedUrls | toJson }}
+              {{- else if eq .Values.scanClient.scanType "bft-custom"}}
+            canton.validator-apps.validator_backend.scan-client.type = "bft-custom"
+            canton.validator-apps.validator_backend.scan-client.seed-urls = {{ .Values.scanClient.seedUrls | toJson }}
+            canton.validator-apps.validator_backend.scan-client.trusted-svs = {{ .Values.scanClient.trustedSvs | toJson }}
+            canton.validator-apps.validator_backend.scan-client.threshold = {{ .Values.scanClient.threshold }}
+              {{- else }}
+            canton.validator-apps.validator_backend.scan-client.type = "bft"
+            canton.validator-apps.validator_backend.scan-client.seed-urls = {{ .Values.scanClient.seedUrls | toJson }}
+              {{- end }}
+            {{- else }}
             canton.validator-apps.validator_backend.scan-client.type = "bft"
             canton.validator-apps.validator_backend.scan-client.seed-urls = [ ${_scan.admin-api.address} ]
+            {{- end }}
         {{ end }}
         {{ if not .Values.useSequencerConnectionsFromScan }}
         - name: ADDITIONAL_CONFIG_STATIC_SEQUENCER_URL
diff --git a/cluster/helm/splice-validator/tests/init-containers_test.yaml b/cluster/helm/splice-validator/tests/init-containers_test.yaml
@@ -12,7 +12,6 @@ set:
   nodeIdentifier: "helm-mock-1-validator"
   validatorPartyHint: "helm-mock-1"
   validatorWalletUser: "mock-wallet-user-id"
-  scanAddress: "trusted.scan.mock.com"
   topup:
     enabled: false
   auth:
diff --git a/cluster/helm/splice-validator/tests/uis_test.yaml b/cluster/helm/splice-validator/tests/uis_test.yaml
@@ -10,7 +10,6 @@ set:
   nodeIdentifier: "helm-mock-1-validator"
   validatorPartyHint: "helm-mock-1"
   validatorWalletUser: "mock-wallet-user-id"
-  scanAddress: "trusted.scan.mock.com"
   spliceInstanceNames:
     networkName: MockNet
     networkFaviconUrl: https://mock.net/favicon.ico
diff --git a/cluster/helm/splice-validator/tests/validator_test.yaml b/cluster/helm/splice-validator/tests/validator_test.yaml
@@ -17,7 +17,6 @@ set:
   nodeIdentifier: "helm-mock-1-validator"
   validatorPartyHint: "helm-mock-1"
   validatorWalletUser: "mock-wallet-user-id"
-  scanAddress: "trusted.scan.mock.com"
   spliceInstanceNames:
     networkName: MockNet
     networkFaviconUrl: https://mock.net/favicon.ico
@@ -126,3 +125,99 @@ tests:
           value: ledger-api-user
       - exists:
           path: spec.template.spec.containers[?(@.name=='validator-app')].env[?(@.name=='ADDITIONAL_CONFIG_DISABLE_AUTH')].value
+
+  - it: "configures scan-client for trust-single mode"
+    set:
+      scanClient:
+        scanType: "trust-single"
+        scanAddress: "https://single.scan.url:5004"
+    documentSelector:
+      path: kind
+      value: Deployment
+    asserts:
+      - matchRegex:
+          path: spec.template.spec.containers[?(@.name=='validator-app')].env[?(@.name=='ADDITIONAL_CONFIG_BFT_SCAN')].value
+          pattern: "canton.validator-apps.validator_backend.scan-client.type = \"trust-single\""
+      - matchRegex:
+          path: spec.template.spec.containers[?(@.name=='validator-app')].env[?(@.name=='ADDITIONAL_CONFIG_BFT_SCAN')].value
+          pattern: 'canton.validator-apps.validator_backend.scan-client.url = "https://single.scan.url:5004"'
+
+  - it: "configures scan-client for standard bft mode, including multiple seedUrls"
+    set:
+      scanClient:
+        scanType: "bft"
+        seedUrls: [ "https://bft-node-1.url:5003", "https://bft-node-2.url:5003" ]
+    documentSelector:
+      path: kind
+      value: Deployment
+    asserts:
+      - matchRegex:
+          path: spec.template.spec.containers[?(@.name=='validator-app')].env[?(@.name=='ADDITIONAL_CONFIG_BFT_SCAN')].value
+          pattern: "canton.validator-apps.validator_backend.scan-client.type = \"bft\""
+      - matchRegex:
+          path: spec.template.spec.containers[?(@.name=='validator-app')].env[?(@.name=='ADDITIONAL_CONFIG_BFT_SCAN')].value
+          pattern: 'canton.validator-apps.validator_backend.scan-client.seed-urls = \["https://bft-node-1.url:5003","https://bft-node-2.url:5003"\]'
+
+  - it: "configures scan-client for bft-custom mode, including trustedSvs and threshold"
+    set:
+      scanClient:
+        scanType: "bft-custom"
+        seedUrls: [ "https://custom-node-A.com", "https://custom-node-B.com" ]
+        trustedSvs: [ "custom-sv-1", "custom-sv-2", "custom-sv-3" ]
+        threshold: 2
+    documentSelector:
+      path: kind
+      value: Deployment
+    asserts:
+      - matchRegex:
+          path: spec.template.spec.containers[?(@.name=='validator-app')].env[?(@.name=='ADDITIONAL_CONFIG_BFT_SCAN')].value
+          pattern: "canton.validator-apps.validator_backend.scan-client.type = \"bft-custom\""
+      - matchRegex:
+          path: spec.template.spec.containers[?(@.name=='validator-app')].env[?(@.name=='ADDITIONAL_CONFIG_BFT_SCAN')].value
+          pattern: 'canton.validator-apps.validator_backend.scan-client.seed-urls = \["https://custom-node-A.com","https://custom-node-B.com"\]'
+      - matchRegex:
+          path: spec.template.spec.containers[?(@.name=='validator-app')].env[?(@.name=='ADDITIONAL_CONFIG_BFT_SCAN')].value
+          pattern: 'canton.validator-apps.validator_backend.scan-client.trusted-svs = \["custom-sv-1","custom-sv-2","custom-sv-3"\]'
+      - matchRegex:
+          path: spec.template.spec.containers[?(@.name=='validator-app')].env[?(@.name=='ADDITIONAL_CONFIG_BFT_SCAN')].value
+          pattern: "canton.validator-apps.validator_backend.scan-client.threshold = 2"
+
+  - it: "configures scan-client for trust-single when nonSvValidatorTrustSingleScan is true"
+    set:
+      nonSvValidatorTrustSingleScan: true
+    documentSelector:
+      path: kind
+      value: Deployment
+    asserts:
+      - matchRegex:
+          path: spec.template.spec.containers[?(@.name=='validator-app')].env[?(@.name=='ADDITIONAL_CONFIG_NON_VALIDATOR_TRUST_SINGLE_SCAN')].value
+          pattern: "canton.validator-apps.validator_backend.scan-client.type = \"trust-single\""
+
+  - it: "defaults to BFT scan client with internal scan address if no config is set"
+    set:
+      svValidator: false
+    documentSelector:
+      path: kind
+      value: Deployment
+    asserts:
+      - matchRegex:
+          path: spec.template.spec.containers[?(@.name=='validator-app')].env[?(@.name=='ADDITIONAL_CONFIG_BFT_SCAN')].value
+          pattern: "canton.validator-apps.validator_backend.scan-client.type = \"bft\""
+      - matchRegex:
+          path: spec.template.spec.containers[?(@.name=='validator-app')].env[?(@.name=='ADDITIONAL_CONFIG_BFT_SCAN')].value
+          pattern: "canton\\.validator-apps\\.validator_backend\\.scan-client\\.seed-urls = \\[\\s*\\$\\{_scan\\.admin-api\\.address\\}\\s*\\]"
+
+  - it: "defaults to BFT scan client when scanType is not specified"
+    set:
+      scanClient:
+        seedUrls: [ "https://custom-node-A.com", "https://custom-node-B.com" ]
+    documentSelector:
+      path: kind
+      value: Deployment
+    asserts:
+      - matchRegex:
+          path: spec.template.spec.containers[?(@.name=='validator-app')].env[?(@.name=='ADDITIONAL_CONFIG_BFT_SCAN')].value
+          pattern: "canton.validator-apps.validator_backend.scan-client.type = \"bft\""
+      - matchRegex:
+          path: spec.template.spec.containers[?(@.name=='validator-app')].env[?(@.name=='ADDITIONAL_CONFIG_BFT_SCAN')].value
+          pattern: 'canton.validator-apps.validator_backend.scan-client.seed-urls = \["https://custom-node-A.com","https://custom-node-B.com"\]'
diff --git a/cluster/helm/splice-validator/values.schema.json b/cluster/helm/splice-validator/values.schema.json
@@ -9,6 +9,45 @@
       "type": "object",
       "description": "The authentication configuration for the application"
     },
+    "scanClient": {
+      "type": "object",
+      "description": "Configuration parameters for the scan client.",
+      "properties": {
+        "scanType": {
+          "type": "string",
+          "enum": [
+            "trust-single",
+            "bft",
+            "bft-custom"
+          ],
+          "description": "The type of scan client configuration."
+        },
+        "scanAddress": {
+          "type": "string",
+          "description": "scan address for trust single type."
+        },
+        "threshold": {
+          "type": "integer",
+          "default": 0,
+          "description": "bft-custom threshold. Optional unless scan-type is bft-custom."
+        },
+        "trustedSvs": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "default": [],
+          "description": "List of trusted scans. Optional unless scan-type is bft-custom."
+        },
+        "seedUrls": {
+          "type": "array",
+          "items": {
+            "type": "string"
+          },
+          "description": "List of seed URLs for the scan client."
+        }
+      }
+    },
     "svValidator": {
       "type": "boolean",
       "description": "Whether this validator is part of an SV node"
@@ -23,6 +62,52 @@
     }
   },
   "allOf": [
+    {
+      "if": {
+        "properties": {
+          "scanClient": {
+            "type": "object"
+          }
+        },
+        "required": ["scanClient"]
+      },
+      "then": {
+        "properties": {
+          "scanClient": {
+            "properties": {
+              "seedUrls": {
+                "type": "array",
+                "minItems": 1,
+                "description": "List of seed URLs for the scan client. Must be non-empty if scanClient is set."
+              }
+            }
+          }
+        }
+      }
+    },
+    {
+      "if": {
+        "properties": {
+          "scanClient": {
+            "type": "object",
+            "properties": {
+              "scanType": {
+                "const": "bft-custom"
+              }
+            },
+            "required": ["scanType"]
+          }
+        },
+        "required": ["scanClient"]
+      },
+      "then": {
+        "properties": {
+          "scanClient": {
+            "required": ["threshold", "trustedSvs"]
+          }
+        }
+      }
+    },
     {
       "if": {
         "properties": {
@@ -87,7 +172,6 @@
         "migration",
         "nodeIdentifier",
         "persistence",
-        "scanAddress",
         "spliceInstanceNames"
       ],
       "properties": {
@@ -452,6 +536,29 @@
           "not": { "required": ["validatorWalletUser"] }
         }
       ]
+    },
+    {
+      "if": {
+        "properties": {
+          "scanClient": {
+            "type": "object"
+          }
+        },
+        "required": ["scanClient"]
+      },
+      "then": {
+        "not": {
+          "anyOf": [
+            {
+              "required": ["scanAddress"]
+            },
+            {
+              "required": ["nonSvValidatorTrustSingleScan"]
+            }
+          ]
+        },
+        "errorMessage": "If 'scanClient' is set, 'scanAddress' and 'nonSvValidatorTrustSingleScan' must not be set. All the scan specific configuration must be done inside the 'scanClient' object."
+      }
     }
   ]
 }
diff --git a/cluster/pulumi/common-validator/src/config.ts b/cluster/pulumi/common-validator/src/config.ts
@@ -9,9 +9,38 @@ import {
 import { clusterSubConfig } from '@lfdecentralizedtrust/splice-pulumi-common/src/config/config';
 import { z } from 'zod';
 
+export const ScanClientConfigSchema = z
+  .object({
+    scanType: z.enum(['trust-single', 'bft', 'bft-custom']),
+    scanAddress: z.string().optional(),
+    threshold: z.number().default(0),
+    trustedSvs: z.array(z.string()).default([]),
+    seedUrls: z.array(z.string()).min(1, 'seedUrls must contain at least one element.').optional(),
+  })
+  .refine(
+    data => {
+      if (data.scanType === 'bft-custom') {
+        const threshold = data.threshold;
+        const trustedSvsSize = data.trustedSvs.length;
+        const seedUrlsSize = data.seedUrls ? data.seedUrls.length : 0;
+        return trustedSvsSize >= threshold && seedUrlsSize >= threshold;
+      } else {
+        return true;
+      }
+    },
+    {
+      message:
+        "For 'bft-custom' scanType, both 'trustedSvs' and 'seedUrls' must have a length greater than or equal to 'threshold'.",
+      path: ['scanType'],
+    }
+  );
+
+export type ScanClientConfig = z.infer<typeof ScanClientConfigSchema>;
+
 export const ValidatorAppConfigSchema = z.object({
   additionalEnvVars: z.array(EnvVarConfigSchema).default([]),
   additionalJvmOptions: z.string().optional(),
+  scanClient: ScanClientConfigSchema.optional(),
 });
 
 export const ParticipantConfigSchema = z.object({
diff --git a/cluster/pulumi/validator-runbook/src/installNode.ts b/cluster/pulumi/validator-runbook/src/installNode.ts
@@ -201,6 +201,10 @@ async function installValidator(
     ),
   };
 
+  if (validatorConfig.validatorApp?.scanClient != null) {
+    delete validatorValuesFromYamlFiles.scanAddress;
+  }
+
   const newParticipantIdentifier =
     validatorConfig.newParticipantId ||
     validatorValuesFromYamlFiles?.participantIdentitiesDumpImport?.newParticipantIdentifier;
@@ -213,6 +217,7 @@ async function installValidator(
         ? true
         : validatorValuesFromYamlFiles.migration.migrating,
     },
+    scanClient: validatorConfig.validatorApp?.scanClient,
     metrics: {
       enable: true,
     },
